Privacy News Most Chipotle restaurants hacked with credit card stealing malware

[Dean Winchestere]

A cybersecurity attack that hit most Chipotle restaurants allowed hackers to steal credit card information from customers, the burrito chain confirmed.

The company first acknowledged the breach on April 25. But a blog post on Friday revealed the kind of malware used in the attack and the restaurants that were affected.

The list of attacked locations is extensive and includes many major U.S. cities. When CNNMoney asked the company Sunday about the scale of the attack, spokesman Chris Arnold said that "most, but not all restaurants may have been involved."

Chipotle (CMG) said in its blog post that it worked with law enforcement officials and cybersecurity firms on an investigation.

The breaches happened between March 24 and April 18. The malware worked by infecting cash registers and capturing information stored on the magnetic strip on credit cards, called "track data." Chipotle said track data sometimes includes the cardholder's name, card number, expiration date and internal verification code.

To check affected restaurants go here: Chipotle — Security Incident

 

[Fritz]

Way to go with that magnetic stripe, the rest of the world has switched to using EMV chips years ago.

 

[SaeedLohana]

too bad, they need to use latest available tech.

 

[509322]

Way to go with that magnetic stripe, the rest of the world has switched to using EMV chips years ago.

EMV chip cards are vulnerable and have been compromised in the past too.

 

[Fritz]

Well, if that's the conclusion we needn't secure stuff at all, everything's hackable…

 

[Dean Winchestere]

I always keep a "throwaway card" when I make any kind of purchases.. I never keep my money on that card other than to make that purchase. It's too risky nowadays.

 

[tryfon]

Dad's card was hacked, the people went and tried to buy FC Barcelona tickets

 

[509322]

Well, if that's the conclusion we needn't secure stuff at all, everything's hackable…

It's not a conclusion, just a statement of fact. EMV chip cards are more secure than magnetic strip-only cards, but they do not provide 100 % protection. Everything IT is ultimately insecure.

 

[Fritz]

@Lockdown I have a feeling you're barking up the wrong tree. You want to tell us that nothing is safe. We're at Malwartips. We know that.

Point is there is a more secure system readily available which still isn't implemented in one of the largest and modern economies.

While nothing is 100% secure, it doesn't mean you have to make it as easy as possible to get in. I lock my door even though you could always kick it in if you wanted to.

 

[Weebarra]

I always keep a "throwaway card" when I make any kind of purchases.. I never keep my money on that card other than to make that purchase. It's too risky nowadays.

What is a "throwaway card" ?

@Lockdown I have a feeling you're barking up the wrong tree. You want to tell us that nothing is safe. We're at Malwartips. We know that.

Point is there is a more secure system readily available which still isn't implemented in one of the largest and modern economies.

While nothing is 100% secure, it doesn't mean you have to make it as easy as possible to get in. I lock my door even though you could always kick it in if you wanted to.

What are the more secure options @Fritz ? Chip and pin are all i've ever owned and didn't know that other types exist. (i am just curious)

 

[Fritz]

What is a "throwaway card" ?

Well, a throwaway card is also known as a prepaid charge card. You can only spend the amount you deposit.
I use this type whenever I make purchases on the Internet, unless it's a big shop like Amazon.

What are the more secure options @Fritz ? Chip and pin are all i've ever owned and didn't know that other types exist. (i am just curious)

Cards with EMV and PIN are the secure option for the time being. They have replaced the magnetic stripe years ago pretty much all over the world, yet they're still prevalent in the U.S.A., hence my snide remark. It's kinda funny that they wouldn't use the more secure solution, since it's readily available. I mean we're not exactly talking about some fifth world country with problems bigger than just how safe their credit cards are.

And yes, it's far from perfect as well, but a 3-year-old can clone a magnetic stripe with a banana and an old door nail. EMV isn't quite that easy to hack.

It also differes a bit with the liability among countries, here in Germany I'd call up my bank and order the money back in case of fraud. No big deal, had somebody go shopping for almost 15k$ a few years ago and I got it right back after signing an affidavit.

Since I like to save myself from the trouble, I still use the prepaid card mostly. There's usually $100 on it and if they're gone, well; then they're gone. Hindsight is usually 20/20.

 

[Weebarra]

Well, a throwaway card is also known as a prepaid charge card. You can only spend the amount you deposit.
I use this type whenever I make purchases on the Internet, unless it's a big shop like Amazon.



Cards with EMV and PIN are the secure option for the time being. They have replaced the magnetic stripe years ago pretty much all over the world, yet they're still prevalent in the U.S.A., hence my snide remark. It's kinda funny that they wouldn't use the more secure solution, since it's readily available. I mean we're not exactly talking about some fifth world country with problems bigger than just how safe their credit cards are.

And yes, it's far from perfect as well, but a 3-year-old can clone a magnetic stripe with a banana and an old door nail. EMV isn't quite that easy to hack.

It also differes a bit with the liability among countries, here in Germany I'd call up my bank and order the money back in case of fraud. No big deal, had somebody go shopping for almost 15k$ a few years ago and I got it right back after signing an affidavit.

Since I like to save myself from the trouble, I still use the prepaid card mostly. There's usually $100 on it and if they're gone, well; then they're gone. Hindsight is usually 20/20.

Ah, thank you @Fritz for the explanation on both types of cards. I thought someone had come up with something new and i was still using "old" style cards.

Wow, Germany must have much better banking and fraud recovery systems than here in the UK, the banks here make you fight tooth and nail to get your money back and a lot of the responsibility is on the claimant to prove they didn't spend the money.

 

[Dean Winchestere]

In my honest opinion, the best way to secure your money, is to have your funds segregated into different accounts linked to different banks/cards. So if one card gets hacked, you won't be as severely affected financially, and the hassle of getting a new card, won't interrupt your daily life. To clarify, i keep one card for "spending" even for bills too. Because even legitimate utility companies are hacked. I can xfer the money to that account from another. You have to assume that your money is NOT SAFE in one place, and minimize the inconvenience/damage if that account is lost/hacked.

 

[Fritz]

Ah, thank you @Fritz for the explanation on both types of cards. I thought someone had come up with something new and i was still using "old" style cards.

You're most welcome @Weebarra That's why I consider it so hilarious, they're old news in Europe.

Wow, Germany must have much better banking and fraud recovery systems than here in the UK, the banks here make you fight tooth and nail to get your money back and a lot of the responsibility is on the claimant to prove they didn't spend the money.

In all fairness, I have to admit that it's been a while. This happened back in 2003 and in the meantime, there has been a liabilty shift as well as other possible policy changes so the claim handling might indeed be different now.

The one good thing that hasn't changed, though: when you're poor, there's not much to be stolen. So there's that.